Make an explicit iptables ssh chain
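# Install and run OpenSSH, route inbound ssh through a dedicated ferm chain,
# and manage the client/server configuration plus the key directories.
#
# Facts read: $::lsbmajdistrelease, $has_etc_ssh_ssh_host_ed25519_key,
# $systemd.  The ferm rules reference the ferm variable $SSH_SOURCES, which
# is expected to be defined elsewhere in the ferm configuration.
class ssh {
        package { [ 'openssh-client', 'openssh-server']:
                ensure => installed
        }

        service { 'ssh':
                ensure  => running,
                require => Package['openssh-server']
        }

        # Everything destined for the ssh port is jumped to a chain named
        # 'ssh', so all ssh filtering lives in one place.
        ferm::rule::simple { 'dsa-ssh':
                description => 'check ssh access',
                port        => 'ssh',
                target      => 'ssh',
        }
        # Single quotes on purpose: $SSH_SOURCES is a ferm variable and must
        # not be interpolated by Puppet.  What happens to packets that match
        # no rule in the 'ssh' chain is decided by the rest of the ruleset,
        # not here.
        ferm::rule { 'dsa-ssh-sources':
                description => 'Allow SSH from DSA',
                chain       => 'ssh',
                rule        => 'saddr ($SSH_SOURCES) ACCEPT'
        }

        # Client config: no service restart needed.
        file { '/etc/ssh/ssh_config':
                content => template('ssh/ssh_config.erb'),
                require => Package['openssh-client']
        }
        # Server config: sshd must be restarted to pick up changes.
        file { '/etc/ssh/sshd_config':
                content => template('ssh/sshd_config.erb'),
                require => Package['openssh-server'],
                notify  => Service['ssh']
        }
        file { '/etc/ssh/userkeys':
                ensure  => directory,
                mode    => '0755',
                require => Package['openssh-server']
        }
        # Kept empty: anything not delivered from the (empty) source is
        # purged, so stray keys cannot accumulate here.
        file { '/etc/ssh/puppetkeys':
                ensure  => directory,
                mode    => '0755',
                purge   => true,
                recurse => true,
                force   => true,
                source  => 'puppet:///files/empty/',
                require => Package['openssh-server']
        }
        # Authorized keys for root, rendered from the template; the parent
        # directory is autorequired by Puppet.
        file { '/etc/ssh/userkeys/root':
                content => template('ssh/authorized_keys.erb'),
        }

        # The release gate presumably tracks ed25519 support in the OpenSSH
        # shipped with Debian 8 -- confirm against the template.
        if (versioncmp($::lsbmajdistrelease, '8') >= 0) {
                if ! $has_etc_ssh_ssh_host_ed25519_key {
                        # 'creates' makes the exec idempotent on its own,
                        # independent of the fact evaluated at the start of
                        # the run.  ssh-keygen ships in openssh-client, and
                        # sshd only reads host keys at startup, so the new key
                        # is offered after the notified restart (assuming the
                        # sshd_config template lists it).
                        exec { 'create-ed25519-host-key':
                                command => 'ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -q -P "" -t ed25519',
                                path    => [ '/usr/bin', '/bin' ],
                                creates => '/etc/ssh/ssh_host_ed25519_key',
                                require => Package['openssh-client'],
                                notify  => Service['ssh'],
                        }
                }

                # Presumably so ssh logins get a logind session; verify
                # against the sshd_config / PAM setup.
                if $systemd {
                        package { [ 'libpam-systemd' ]:
                                ensure => installed
                        }
                }
        }
}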